Frequently Asked Question

No.  When validating compliance, either through a Report on Compliance (ROC) or a self-assessment questionnaire (SAQ), requirements should not be ‘combined’ from two versions of the standard – validation must be to one version in its entirety.

When the PCI DSS is updated, it is understood that organizations may need time to complete their transition from a previous version to the current one.  During this transition, their environment may reflect aspects of both versions of the standard. However, when it comes to reporting and validating compliance, only one version can be used.

As always, entities with specific questions about how to report their compliance validation should consult with their acquirer (merchant bank) or payment brand, as applicable..